Denial of Service in python-defusedxml
ID: | RHSA-2017:0936-01 |
Distribution: | Red Hat |
Plattformen: | Red Hat Enterprise Linux OpenStack Platform |
Datum: | Mi, 12. April 2017, 23:05 |
Referenzen: | https://access.redhat.com/security/cve/CVE-2016-10149 |
Applikationen: | python-defusedxml |
Originalnachricht |
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: python-defusedxml and python-pysaml2 security update Advisory ID: RHSA-2017:0936-01 Product: Red Hat Enterprise Linux OpenStack Platform Advisory URL: https://access.redhat.com/errata/RHSA-2017:0936 Issue date: 2017-04-12 CVE Names: CVE-2016-10149 ===================================================================== 1. Summary: An update for python-defusedxml and python-pysaml2 is now available for Red Hat OpenStack Platform 8.0 (Liberty). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenStack Platform 8.0 (Liberty) - noarch 3. Description: The defusedxml package contains several Python-only updates for security vulnerabilities in Python's XML libraries. Defusedxml functions and classes can be used instead of the originals to protect against entity-expansion and DTD-retrieval issues. PySAML2 is the python implementation of SAML Version 2, containing all the functionality for building a SAML2 service provider or an identity provider, to be used in a WSGI environment. Security Fix(es): * An XML entity expansion vulnerability was found in python-pysaml2. A remote attacker could send a crafted request which would cause denial of service through resource exhaustion. (CVE-2016-10149) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1415710 - CVE-2016-10149 python-pysaml2: Entity expansion issue 6. Package List: Red Hat OpenStack Platform 8.0 (Liberty): Source: python-defusedxml-0.5.0-1.el7ost.src.rpm python-pysaml2-3.0.2-3.el7ost.src.rpm noarch: python-defusedxml-0.5.0-1.el7ost.noarch.rpm python-pysaml2-3.0.2-3.el7ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-10149 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is |